GDPR – panic … or not?

GDPR is beset with myth, rumour, and so-called experts. The amount of confusion and misinformation in circulation is incredibly detrimental, and this is largely because many organisations and individuals who are trying to promote their services are using fear tactics to do so.

But they’re missing the point.

We have a Data Protection Act currently in place, and the Privacy and Electronic Communications Regulations to support it. Any organisation that is ignoring the current data protection legislation has every reason to panic about GDPR. Ignorance is no excuse. And they won’t be able to get away with wilfully ignoring GDPR just because they consider data protection an inconvenient restriction that stops them taking unethical actions to make more money.

On the other hand, organisations that already conform to the current legislation have a head start when working out how to comply with the new regulation.

GDPR – a simple summary

At its simplest, GDPR is a long-overdue evolution which is primarily about all organisations (whether data controllers or data processors):

putting the individual first

being held accountable for protecting that individual’s data

At the same time, GDPR addresses the vast changes to the data landscape since the original data protection legislation of the 1990s:

it takes account of technological advances – bear in mind, there was barely an internet in the early ’90s!

it seeks to protect individuals in the EU from misuse of their personal data wherever in the world that data is processed

it addresses (at least in part) the disparity in data protection legislation across the EU member states

GDPR increases both compliance obligations on the part of organisations, and enforcement powers on the part of the regulator.

Compliance Obligations: The principle of accountability puts a heavy administrative burden on data controllers and data processors. Robust record-keeping in relation to all data processing is essential, and evidenced decisions around data processing (what is collected, why, on what lawful basis, and for how long) will be critical.

Enforcement Powers: Yes, there are massive fines for non-compliance. And yes, they go up to €20,000,000 or 4% of global annual turnover, whichever is higher. But is that really the key headline?

GDPR’s Key Message: Put the Individual First

As GDPR comes closer, individuals are going to become increasingly aware of their rights, both new and old.

All organisations that process personal data need to understand that individuals must be treated fairly, and that under GDPR they have greater rights than before. This means that organisations need to be transparent about their data processing activity, and take full responsibility for protecting the personal data they process.

What does that mean in practice?

Tell the individuals what you intend to do with their data – and make it absolutely plain what you mean

Explain that there’s a value exchange – by all means help them understand the benefits to providing the data and allowing the processing – but don’t tell lies, and don’t mislead them

If you don’t want to tell them what you’re doing … you probably shouldn’t be doing it

If you need their consent, make sure you obtain it fairly, with simple messaging and utter clarity around precisely what it is to which they are consenting

Tell them all their rights (including the right to withdraw consent; to object to processing where relevant; to be provided with all the information you hold about them; to have that data erased, the so-called right to be forgotten; etc)

Always balance your rights as an organisation against their rights as an individual

Look out for your Reputation

Never underestimate the reputational damage caused by a data breach

The Information Commissioner, Elizabeth Denham, states clearly that, while the ICO has heavyweight power to levy massive fines, “we intend to use those powers proportionately and judiciously”. So the ICO may issue warnings, reprimands, corrective orders and fines, but those could be the least of your worries.

Something that tends to be overlooked when talking about the penalties for non-compliance is reputational damage. All the ICO’s sanctions (from warnings to fines) are published on the ICO website, and the press loves nothing more than a nice, juicy data breach.

So even if no fine is levied, reputations will suffer. At worst, customers will be lost. Shareholders will lose confidence. Revenues will decline. Board members will lose their jobs. And, to quote Denham again, “You can’t insure against that.”